First things first: I don't know much about netapps. I am a security person, I don't deal with filers much.
I noticed a weird behavior with Netapp Active Directory authentication. Our netapps accept active directory account logins via ssh connections. So I use my Windows 2003 active directory account to login via ssh to netapps for certain things. I changed my active directory password today. 10 minutes later I ssh'ed into a netapp filer using my new password. Everything worked fine. Nothing odd here. The odd thing is when 5 minutes later I was able to logon with my old password. I thought I was going mad, so I tried it on 5 other netapps we have here, and I was able to logon with both my old and new password. What on Earth would make this happen? Can someone enlighten me on how this is even possible?
Now, putting my information security hat on, I say: This is a gross security hole, either by configuration or by design. If I have reason to believe that my AD account has been compromised and I think I'm safe when I change my password, guess what?? I'm not. I'll wait to hear from those who know more than I do about netapps.
ssh into the filer and run useradmin user list. Do you have an account with the same name as your active directory account? If yes, then that is your problem. You have a filer side account that had the same password as your previous active directory account. No security hole here, just bad administration practice.
If you don’t have an account on the filer from the previous step then while still ssh’d in execute the following:
cifs domaininfo - look at the output and see which domain controllers it knows about and which ones are favored.
cifs prefdc print - look at the output and see which DCs it is configured to use.
Now make sure that your active directory domain controllers that are listed in the above steps have replicated recently with the PDC Emulator using sites and services. Then try your old password again. So again, not a security hole, just poor AD replication performance.
I'm not gonna argue with you on the bad admin practices :-). You're right about that.
Anyway ... There are no accounts with my name on the netapp. The old password doesn't work any longer, so it could be an AD replication issue, however I was logging on from the same subnet as the Netapp, the first time with one password and the second time with the old password. This shouldn't be about replication, unless the Netapp is doing some kind of round robin among the domain controllers for authentication.
I see the following:
mynetapp> cifs domaininfo
NetBios Domain:           mydomain
Windows 2003 Domain Name: my.domain.name
Type:                     Windows 2003
Filer AD Site:            my site

Current Connected DCs:    \\myadserver
Total DC addresses found: 30
Preferred Addresses:
                          None
Favored Addresses:
                          10.0.10.4     myotheradserver  PDC
                          10.0.10.107   PDC
                          10.0.10.222   PDC
                          10.0.10.212   PDC
                          10.0.10.232   PDC
                          10.0.10.137   PDC
Other Addresses:
                          10.0.11.143   PDC
                          10.0.11.137   PDC

mynetapp> cifs prefdc print mydomain
No preferred Domain Controllers configured.
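The second reply's diagnosis hinges on two things visible in that output: the filer has no preferred DCs, and it knows about many DCs across favored and other addresses, so any of them may answer a bind and a password change only "takes" once it has replicated to whichever DC answers. The following Python script is an added example, not code from any poster or from NetApp: it parses `cifs domaininfo` output in the layout shown above (a constructed sample with invented names and addresses is embedded) and reports which DCs the filer could authenticate against and why the old password might still be accepted on some of them.

```python
import re

# Constructed sample of Data ONTAP 7-Mode "cifs domaininfo" output; the host
# names and addresses are invented for this example.
SAMPLE_DOMAININFO = r"""
NetBios Domain:           MYDOMAIN
Windows 2003 Domain Name: my.domain.name
Type:                     Windows 2003
Filer AD Site:            my site

Current Connected DCs:    \\MYADSERVER
Total DC addresses found: 5
Preferred Addresses:
                          None
Favored Addresses:
                          10.0.10.4       MYOTHERADSERVER  PDC
                          10.0.10.107     PDC
                          10.0.10.222     PDC
Other Addresses:
                          10.0.11.143     PDC
                          10.0.11.137     PDC
"""

SECTION_RE = re.compile(r"^(Preferred|Favored|Other) Addresses:\s*$")
ADDR_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?:\s+(.*?))?$")


def parse_domaininfo(text):
    """Parse the output into top-level fields plus three DC address lists.

    Each address entry is (ip, annotation); the annotation is whatever the
    filer printed after the IP (server name, PDC flag), or '' if nothing.
    """
    info = {"fields": {}, "preferred": [], "favored": [], "other": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        if not raw[0].isspace():
            # Unindented "Key: value" line; this also ends any address section.
            section = None
            key, _, value = line.partition(":")
            info["fields"][key.strip()] = value.strip()
            continue
        if section is None or line == "None":
            continue  # "None" is the filer's placeholder for an empty list
        m = ADDR_RE.match(line)
        if m:
            annotation = " ".join(m.group(2).split()) if m.group(2) else ""
            info[section].append((m.group(1), annotation))
    return info


def candidate_dcs(info):
    """All DC addresses the filer could bind to, in the order it prefers them."""
    return [ip for ip, _ in info["preferred"] + info["favored"] + info["other"]]


def audit(info):
    """Findings that explain why different DCs may answer successive logins."""
    findings = []
    pool = candidate_dcs(info)
    if not info["preferred"]:
        findings.append(
            "no preferred DCs configured (cifs prefdc): the filer may bind to "
            f"any of {len(pool)} discovered DCs, so a password change must "
            "replicate to all of them before the old password stops working"
        )
    connected = info["fields"].get("Current Connected DCs", "")
    if connected:
        findings.append(f"currently connected to {connected}; check that this "
                        "DC has replicated with the PDC emulator")
    if info["other"]:
        findings.append(f"{len(info['other'])} DC(s) outside the filer's AD "
                        "site are also in the pool (Other Addresses)")
    return findings


if __name__ == "__main__":
    parsed = parse_domaininfo(SAMPLE_DOMAININFO)
    print("candidate DCs:", ", ".join(candidate_dcs(parsed)))
    for finding in audit(parsed):
        print("-", finding)
```

To run it against a real filer, paste the `cifs domaininfo` output into a file and pass its contents to `parse_domaininfo` in place of the sample; pinning the filer to well-replicated DCs with `cifs prefdc` makes the first finding disappear.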